Introduction

This document describes how to use the embedded Wireshark feature of the Cisco Catalyst 3850 Series Switch that runs Version 3.3.0 or later in order to capture packets that ingress or egress the switch.

Prerequisites

Requirements

Cisco recommends that you have knowledge of Wireshark.

Components Used

The information in this document is based on the Cisco Catalyst 3850 Series Switch that runs Version 3.3.0 or later.

Restrictions

License: Requires IPBASE or IPSERVICES.

Capture filters are not supported.

Layer 2 and Layer 3 EtherChannels are not supported.

MAC Access Control List (ACL) is only used for non-IP packets such as ARP. It is not supported on a Layer 3 port or Switch Virtual Interface (SVI).

Switch CPU generated packets can be captured and must use the control-plane as the source interface.

It is not possible to capture rewrite information. Egress captures do not show and changes to the packet performed by the Cisco Catalyst 3850 Series Switch.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configuration Example

Here is a sample configuration. GigabitEthernet4/0/1 is injected with the Address Resolution Protocol (ARP) request for 10.10.10.1, which is located on the Cisco Catalyst 3850 Series Switch. The host is configured as 10.10.10.10. This configuration captures both ingress and egress on GigabitEthernet4/0/1, matches on any IPv4 packets, and stores it to the flash as mycap.pcap. Once the size of the file has reached 10MB or 100 packets, whichever comes first, the capture automatically stops. The file can also be stored to a USB flash drive, if you select usbflash0: and plug a USB into the front of the Cisco Catalyst 3850 Series Switch.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Capture Control-Plane Traffic

Here is a sample configuration that shows both ingress and egress traffic sourced to and from the Cisco Catalyst 3850 Series Switch itself. This is a great way to see what traffic hits the CPU of the Cisco Catalyst 3850 Series Switch. This can be combined in order to diagnose high CPU usage situations